Cybersecurity and Deterrence

A Response on Persistent Engagement and Agreed Competition

By Michael P. Fischerkeller, Richard J. Harknett
Thursday, June 27, 2019, 10:30 AM

In a recent Lawfare essay, Jim Miller and Neal Pollard offer an important and positive assessment of the strategy of persistent engagement, a strategic approach designed to thwart adversary cyberspace campaigns by continuously anticipating and exploiting vulnerabilities while denying their ability to exploit U.S. vulnerabilities. Persistent engagement achieves this through operations that support resiliency, defending forward, contesting and countering to achieve strategic advantage. Miller and Pollard’s work represents a welcome focus from the national security intellectual establishment, which will help advance this new approach to managing cyberspace. Continuing cyber-related policy refinement anchored on persistent engagement is a necessary step toward advancing national interests in and through cyberspace and should be a focus of both national security policy and academic communities. However, in their assessment, Miller and Pollard express concerns regarding the associated construct of agreed competition—which, in our view, enables policymakers to capture the broader dynamics to which persistent engagement is primarily seeking to manage. We welcome this exchange and offer this essay in response.

Here, we build on our previous work on Lawfare regarding persistent engagement and agreed competition. Rather than offer a comprehensive point-by-point reply to Miller and Pollard’s concerns, we’ve taken this opportunity to highlight and clarify what appears to be a root source of disagreement—differing perspectives on how to describe cyber behavior below the threshold of armed attack and the policy prescriptions that follow from that description. Viewing persistent engagement through the prism of “agreed competition” helps in understanding this behavior as distinctly strategic in intent and not as a prelude to war (that is, not prone to escalation) nor old hat (that is, not just a new version of espionage or sabotage).

Agreed competition is a structurally derived, strategically reinforced, empirically supported construct that describes the cyber strategic competitive space short of armed conflict and the behaviors witnessed therein over the past decade and more. States have and continue to engage in cyber campaigns and operations that intentionally and overwhelmingly avoid coercion and related strategies of escalation but are nonetheless quite serious. Great power strategic competition will continue to be played out using these traditional methods of war and coercion, but cyberspace’s emergence has provided a novel medium in, through and from which states pursue new means, ways and strategies for achieving strategic ends. Miller and Pollard argue that agreed competition is a limited construct and that it is irrelevant to the larger set of international relations behaviors. We argue just the opposite: The concept encompasses a broad set of behaviors that challenge relative power and in so doing actually broadens the playing field of international relations. The construct of agreed competition describes the majority of cyber campaigns, operations and interactions over the past decade or more; states are treating these cyber actions collectively as competition, not as armed conflict. Despite the ubiquitously loose use of the term “cyberwar” by many analysts and government officials, states are not treating these campaigns and operations as war.

The “agreed” element of this construct is not normative nor tactical (as of yet). We think the construct provides analytical utility and offers novel strategic and operational insights (many of which we discussed in our original Lawfare essay). States do not assent nor accord to these behaviors under a notion of acceptability. They do not have to like this game, but they should not deny its existence: Through their actions, states have agreed to engage in adversarial competition short of armed attack to shift the relative distribution of power in the international system. The fact that these interactions have yet to precipitate war is not luck. It is a consequence of the choice by states to compete intensely, but differently, without primarily leveraging doctrines and strategies of war and coercion (including prospective threats of response). As we’ve argued previously, that choice is informed by both structural incentives organic to cyberspace and strategic rationales—including, but not limited to, U.S. strength in the strategic space of armed attack, which serves to deter adversaries from escalating out of agreed competition into armed conflict (a point made in the U.S. Defense Department 2018 Cyber Strategy).

A critical difference between Miller and Pollard’s perspective and ours rests on views of coercion and escalation. Miller and Pollard suggest that we “wave away” escalation as a serious concern. But we have been direct in our preoccupation that persistent engagement must be pursued thoughtfully to avoid accidental or inadvertent escalation and to discourage deliberate escalation out of the boundaries of agreed competition on an adversary’s part—a salient concern given the immaturity of the competition.

There exist structural and strategic reasons suggesting such escalatory outcomes are not inevitable. Increased cyber operations and campaigns are not ipso facto aggressive, offensive nor escalatory; rather, they can be assertive, defensive and stabilizing, something with which Miller and Pollard concur.

What differentiates much of this agreed competition behavior to date from traditional great power efforts to affect changes in relative power, in our view, is the following:

  • The approach taken by adversaries does not rest on implicit or explicit threats of escalation or brute force. Rather, the approach primarily is nonattributive and exploitative, leveraging both cyber-enabled anonymity and cyber-derived vulnerabilities in the pursuit of immediate and long-term policy objectives; these cyber campaigns and operations are, therefore, primarily not coercive nor strategically destructive.
  • Many of the most consequential outcomes result from exploitative operations linked together in campaigns to achieve strategic advantage. Adversaries are targeting relative power. Miller and Pollard argue that the strategic impact of these cyber-enabled campaigns is further enhanced when adversaries couple them with other, non-cyber-related activities. We agree but do not believe that agreed competition is descriptive of those other activities, their interaction dynamics or the structural spaces in which they play out, as we explained in our Lawfare essay.

Throughout our work, we have continually discussed agreed competition as inclusive of behaviors in, through and from cyberspace supporting policy objectives. Agreed competition, in our view, includes China’s cyber-enabled theft of intellectual property to gain competitive advantage, North Korea’s exploitation of the SWIFT banking protocol to circumvent sanctions, and Russia’s cyber-enabled disinformation campaigns to shake confidence in democratic institutions and alliances. Importantly, the Chinese behavior has not, to our knowledge, ever been described as coercive or comprising threats of escalation. Instead, the strategic gains achieved by China have resulted from campaigns comprising exploitative operations, not coercive ones.

Miller and Pollard note this Chinese behavior and thus presumably would see it as strategically important. But they define a category of “competition that matters most” as “that which involves the pursuit of strategic gains and dynamic interactions carrying vertical and horizontal escalation risks.” Escalation risks are important, but they should not be the key variable in defining strategic significance. We disagree with their perspective that the competition that matters most is that which involves risk of escalation. Such competition certainly is of relevance when considering how best to leverage a strategy of deterrence to avoid escalation into armed conflict (including cyber effects equivalent to armed conflict) but, as we’ve noted previously, such instances have been few and far between. Persistent engagement considers the noncoercive, nonescalatory behaviors of U.S. adversaries to date as strategically significant and as activities that must be countered or contested. What “matters most,” in Miller and Pollard’s language, is the behavior adversaries are actually leveraging daily to undermine relative power.

In agreed competition, the dominant strategic choice is operational persistence and the central dynamic is competitive interaction, not escalation. Miller and Pollard argue that the use of noncyber instruments of national power in response to cyber behaviors is horizontal escalation. This would be an accurate characterization if the cumulative effect of these instruments threatened greater harm than the use of a single instrument alone, but this is not always the case. Consider, for example, the 2015 Obama-Xi agreement on cyber theft—a diplomatic instrument. After this agreement did not curb China’s theft of intellectual property in a sustained way, the U.S. government levied numerous indictments against Chinese nationals, intelligence officers and a Chinese state-owned company for various economic theft charges. Leveraging the law enforcement instrument of power was arguably not escalatory; rather, it was a reflection that the diplomatic instrument was proving ineffective. We agree with Miller and Pollard that the U.S. should be comprehensive in exploring the use of all instruments of power to achieve its desired ends, but doing so is not ipso facto escalatory.

In addition, Miller and Pollard describe China’s intellectual property theft, the North Korean operation against Sony and Russia’s social media campaigns as vertical escalation. We presume they adopted that vernacular because, over time and in the absence of a staunch U.S. response, these states became increasingly bold in pursuing strategic gains through cyber campaigns. Miller and Pollard may use the term “escalation” as they see fit, of course, but we think such use promotes confusion and would distinguish between behaviors best characterized primarily as competitive “interaction”—i.e., increases (or decreases) in scope, scale and intensity of campaigns with the intention of keeping effects short of armed conflict—versus behaviors that are best characterized as coercive “escalation”—increases (or threats thereof) with the intent of generating armed-attack equivalent effects, thereby breaching the integrity of agreed competition.

Both analytical utility and policy clarity are gained when one does not impose terms and definitions associated with the strategic space of armed conflict on the new cyber strategic competitive space that exists short of armed conflict. Herman Kahn defined “escalation” as moving to the next level of conflict in the space of armed conflict. When the term is used in cyberspace discussions, it is generally used in the same way, expressing concerns about an escalatory dynamic of cyber operations resulting in armed-attack-equivalent cyber effects or armed attack itself. No doubt this is a serious concern, but to focus on it to the exclusion of competitive interaction in agreed competition is to ignore the central interaction dynamic characterizing how states seek strategic advantage short of armed conflict. This also elides the utility of using different terms to emphasize the different dominant dynamics.

Miller and Pollard agree with our distinction that deterrence can be an “effect” of any strategic approach taken toward competition (and conflict). Indeed, we argue that a strategy of persistent engagement in agreed competition may contribute to such an effect by leveraging the exploitative character of cyber capabilities to actively and continuously impose costs in competition rather than merely threatening to do so in crises or armed conflict. For example, the U.S. might channel an adversary into internally focused or self-defeating behaviors, thereby redirecting that adversary’s attention away from hostile competition with the U.S. In the persistent engagement context, the strategic choice is one of seeking to gain and sustain the initiative over the adversary, rather than waiting to respond.

Miller and Pollard also present three related arguments. In their view, first, agreed competition is flawed as an analytical or even descriptive construct because agreements may not extend to adversaries’ uses of other means and/or ways of achieving the same desired strategic ends; second, policymakers’ acceptance of the construct of agreed competition would encourage cyber-only responses to cyber-related actions; and third, adversaries might cheat on agreements. The first point, in our view, is not a critique of agreed competition but, instead, an expected outcome if persistent engagement is successful in driving an adversary away from leveraging cyber means and/or ways to achieve a strategic end. Policymakers should not assume that gaining strategic advantage in cyberspace will lead in toto to an adversary pursuing that end. This is why a “Whole of Nation+” approach (in which all instruments of national power are involved in numerous ways) should be used to blunt the adversary’s achievement of strategic ends—if persistent engagement makes cyber means and/or ways less effective, adversaries will naturally gravitate to using other means and/or ways in other domains and sectors, and the U.S. should anticipate and be prepared for that possibility. In fact, U.S. policymakers have already shown a willingness to use noncyber responses to adversaries’ cyber-related actions. It’s unclear to us why adopting the construct of agreed competition would sway them otherwise—and, thus, we disagree with Miller and Pollard’s second point.

Regarding their third concern, a history of international relations suggests that adversaries will most surely cheat, or try to, on tacit or explicit agreements. This has not been uncommon across a variety of sectors; consider Russia’s cheating on the Intermediate-Range Nuclear Forces Treaty as a recent example. Calling out agreed competition because it too will be subject to cheating seems an unreasonable basis for critique. Moreover, defending forward and anticipatory resilience under persistent engagement would better position the U.S. to anticipate transgressions and either blunt them or prepare for their potential consequences.

In the end, Miller and Pollard advance a positive assessment of persistent engagement, and we are grateful they pushed us toward greater clarity and presented an opportunity to expound further in this response. Our two analyses converge on the point that cyberspace is enabling great power competition and new strategic responses are necessary.

We believe that there is further analytical utility to adding the notion of “agreed” to this conversation. It suggests some boundary conditions that allow academics, the defense community and policymakers to view the big picture, a recognition that the space below armed conflict is going to be a strategically relevant intense competition that will be played out with strategies and techniques that differ from those we apply to armed conflict. Features of cyberspace such as its speed, scale and scope will also amount to the creation of qualitatively different dynamics in this arena. Although coercion and escalation remain relevant, the convergence of cyber behaviors around different strategic choices and dynamics on a daily basis suggests to us a tacit agreement to play a different, but equally serious, game. Along with managing the prospect of war, the United States will have to participate and manage this new competition as well.